If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

WARNING: do NOT visit any of the links I'm about to post unless you know what you're doing, you think you know what you're doing, or you don't care what happens to your PC either way. That said, some of these links I'm about to post should be safe, and I'll mark them as such.

Yep, there's definitively something wrong here. This is what I found inside the source of this page:

EDIT: the iFrame is injected by the following bit of javascript code:http://pastebin.com/XsmMHBza (this should be safe to visit if you want to look at some JavaScript, but don't be alarmed if your virus scanner thinks this is a virus, too. Some do that).

I've seen that kind of thing before. Nasty decoding/evalling stuff. This bit of javascript is hosted at

EDIT: Checked the link posted by thegooseking, which says the following:

You're using vBulletin 4.1.3. There are several exploits in that version that were fixed in subsequent versions and security patches. You should upgrade to vBulletin 4.1.9. You also need to make sure your addons are up to date so that they don't have potential exploits in them.

The RPS forums are running 4.1.3. There are known exploits for that version. The forum software should be updated. Someone used a known exploit to inject some code (probably automatically), which means they probably have (had?) access to the server, which may mean that they know your password, depending on what they modified. Be vigilant, but changing your password now may be a bit silly until the forum software has been patched to deal with this intrusion. That said, I know that vBulletin by default uses some proper salting techniques, so you might be somewhat safe (again, depending on which files were modified, and in what way they were modified).

Last edited by Megagun; 20-12-2011 at 08:59 PM.
Reason: Moved the JavaScript to Pastebin, so that my post isn't flagged as containing a virus by your virus scanner. :)

Regardless, change your password and remember to change it on other websites where you used the same password. If someone was able to inject an iFrame, they were able to inject other nasty stuff.

As far as I was able to detect, the nasty bits we talked about in this thread have been cleaned up and fixed. Not sure if there's more nastyness somewhere else, but at least this particular case of nastyness has been dealt with.

Would be nice if RPS could post a quick bit on the front page that they've been compromised and that people should consider taking protective measures.

"You go up to a man, and you say, "How are things going, Joe?" and he says, "Oh fine, fine — couldn't be better." And you look into his eyes, and you see things really couldn't be much worse. When you get right down to it, everybody's having a perfectly lousy time of it, and I mean everybody. And the hell of it is, nothing seems to help much." - Kurt Vonnegut, Jr.

Yes, it may have (it depends on what the breach was and if anything other than the forum software was affected), but no-one who has an account here and happens to read the "Rock, Paper Shotgun Discussion" forum would know about what happened, and nowhere was anything clarified with regards to what happened and how severe the breach was.

Right now, we have to assume that all passwords and user accounts/e-mail addresses were stolen, until we hear some official words regarding these matters (and proper investigation has been done). This also means that not sending a mass-email out to anyone who has an account here is a huge oversight.

I've been meaning to post for a while, sorry, didn't quite get round to it.

The forums were breached by an injection vulnerability in vBulletin. It was an automated breach - very, very little human involvement. It didn't go beyond the forums - the main site was unaffected (hence it staying online when we took the forums offline). As far as we can determine, they didn't steal any data, and only injected nefarious code into the site. It was cleaned out after we took the forums down - we took a copy of the code, reloaded the forum files from backups, updated the forums and brought them back online.

As to password security, they are stored salted and encrypted. As with any security matter, using the same password on multiple sites, as tempting as it is, is a bad idea, and we recommend against you doing that.

The reason an email didn't go out, was due to the lack of data theft - be assured, we would ask the RPS team to let you know if we did have evidence of emails/passwords/usernames being downloaded.

"Quantacat's name is still recognised even if he watches on with detached eyes like Peter Molyneux over a cube in 3D space, staring at it with tears in his eyes, softly whispering... Someday they'll get it."